This background is presented for the purpose of generally describing the context of the disclosure. To the extent that the background includes the work of the presently named elements and other elements that do not qualify as prior art at the time of filing, such description is neither expressly nor impliedly admitted as prior art against the present disclosure.
Many processor types, including many microcontroller units (MCUs), contain bus masters or accelerators that can access memory independently of the processor. One example is a direct memory access (DMA) controller. A DMA controller is a shared system resource that enables other hardware subsystems, such as sensors (which MCUs frequently employ), to access system memory without intervention by the CPU. Indeed, a DMA controller can carry out memory transactions between a sensor and system memory while the CPU is asleep. This advantageously enables MCUs to consume very little power while collecting sensor data, which is particularly important for MCUs, such as the growing array of internet-of-things (IoT) devices, that run on battery power or other low-energy power supplies.
The ability of a DMA controller to carry out memory transactions asynchronously with respect to the CPU, however, presents security challenges while the CPU is asleep. Without the CPU available to administer an access control policy (or access mask), the potential exists for a security breach through the sensor. Because every channel has a full view of the memory available to the DMA controller, the individual DMA channels cannot be containerized with respect to their view of system memory. Also, an attacker could launch a low-level denial-of-service attack by flooding the peripheral bus with constant requests through a compromised sensor input. This could throttle the peripheral bus's arbitration and scheduling mechanism enough to prevent the processor from servicing or controlling another peripheral, for example a mechanical actuator, or to thwart other critical memory transactions, for example a camera feed, from occurring.
One possible solution is to interrupt the CPU every time a peripheral or other hardware subsystem attempts to use the DMA controller. Once awoken, the CPU can block any memory access request that lacks the appropriate security attributes. But this defeats the advantage discussed above, namely letting the CPU sleep while the processor collects sensor data: the CPU cannot stay asleep while DMA operations are conducted. Another potential solution would be to require the real-time operating system (RTOS) to sanitize the DMA operation programming. This becomes a challenge for DMA operations that use complex programming models such as command linked lists stored in system memory. Both of the foregoing solutions would also require substantial software overhead and intervention, and would greatly limit the power efficiency, performance and functionality of the processor.
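As an added illustration that is not part of the disclosure, the following C sketch shows what RTOS-side sanitization of a command linked list entails: every descriptor and every transfer is checked against a per-channel access window, and a hop cap guards against a looped chain. The descriptor layout, the window type and all function names are hypothetical, and the sample memory is constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical linked-list DMA command descriptor (constructed; not a real controller's layout). */
typedef struct dma_cmd {
    uintptr_t src, dst;
    size_t len;
    const struct dma_cmd *next;                  /* NULL terminates the chain */
} dma_cmd_t;

/* Access mask for one channel: the only address window it may touch; limit is exclusive. */
typedef struct { uintptr_t base, limit; } dma_window_t;

static bool in_window(const dma_window_t *w, uintptr_t addr, size_t len) {
    if (addr < w->base || addr >= w->limit) return false;   /* start inside the window */
    return len != 0 && len <= w->limit - addr;              /* wrap-safe: len fits before limit */
}
#define DMA_MAX_CHAIN 64   /* hop cap: a looped or endless chain must not stall the RTOS */

/* Sanitize a whole chain before the controller sees it: every descriptor must itself sit in
 * trusted memory (a peripheral must not redirect the engine to attacker-controlled commands)
 * and every transfer must stay inside the channel's data window. */
bool dma_chain_is_safe(const dma_cmd_t *head, const dma_window_t *data,
                       const dma_window_t *descs) {
    unsigned hops = 0;
    for (const dma_cmd_t *c = head; c != NULL; c = c->next) {
        if (++hops > DMA_MAX_CHAIN) return false;
        if (!in_window(descs, (uintptr_t)c, sizeof *c)) return false;
        if (!in_window(data, c->src, c->len) || !in_window(data, c->dst, c->len)) return false;
    }
    return true;
}

/* Constructed sample memory: a 4 KiB "system RAM" and a four-entry descriptor pool. */
static uint8_t sample_ram[4096];
static dma_cmd_t sample_desc[4];

/* Build a two-command chain whose second command has the given destination and next pointer. */
static bool check_sample(uintptr_t dst2, const dma_cmd_t *next2) {
    uintptr_t r = (uintptr_t)sample_ram, d = (uintptr_t)sample_desc;
    dma_window_t data = { r, r + sizeof sample_ram }, descs = { d, d + sizeof sample_desc };
    sample_desc[0] = (dma_cmd_t){ r, r + 1024, 256, &sample_desc[1] };
    sample_desc[1] = (dma_cmd_t){ r, dst2, 256, next2 };
    return dma_chain_is_safe(&sample_desc[0], &data, &descs);
}
bool sample_ok(void)      { return check_sample((uintptr_t)sample_ram + 2048, NULL); }
bool sample_overrun(void) { return check_sample((uintptr_t)sample_ram + 4000, NULL); } /* 4000+256 > 4096 */
bool sample_loop(void)    { return check_sample((uintptr_t)sample_ram + 2048, &sample_desc[0]); }
```

Even this minimal walk must touch every descriptor in system memory before each transfer is started, which is the software overhead the text refers to.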